(54) A method for authenticating items

(57) A memory containing an authenticated search tree that serves for authenticating membership or non membership of items in a set. The authenticated search tree includes a search tree having nodes and leaves and being associated with a search scheme. The nodes include dynamic search values and the leaves include items of the set. The nodes are associated, each, with a cryptographic hash function value that is produced by applying a cryptographic hash function to the cryptographic hash values of the children nodes and to the dynamic search value of the node. The root node of the authenticated search tree is authenticated by a digital signature.
Description

FIELD OF THE INVENTION 
[0001] The present invention is in the general field of digital signatures for authentication purposes.
BACKGROUND OF THE INVENTION 

[0002] The wide use of public key cryptography requires the ability to verify the authenticity of public keys. This is achieved through the use of certificates (that serve as a means for transferring trust) in a Public Key Infrastructure (PKI). A certificate is a message signed by a publicly trusted authority (the certification authority, whose public key authenticity may be provided by other means) which includes a public key and additional data, such as expiration date, serial number and information regarding the key and the subject entity.

[0003] When a certificate is issued, its validity is limited by an expiration date. However, there are circumstances (such as when a private key is revealed, or when a key holder changes affiliation or position) where a certificate must be revoked prior to its expiration date. Thus, the existence of a certificate is necessary but not sufficient evidence for its validity, and a mechanism for determining whether a certificate was revoked is needed.
[0004] A typical application is a credit card system where the credit company may revoke a credit card, temporarily or permanently, prior to its expiration, e.g. when a card is reported stolen or according to its user's bank account balance.


PRIOR ART DISCUSSION: 

Certificate Revocation List (CRL) 

[0005] A CRL is a signed list issued by the CA identifying all revoked certificates by their serial numbers. The list is concatenated with a time stamp (as an indication of its freshness) and signed by the CA that originally issued the certificates. The CRLs are sent to the directory on a periodic basis, even if there are no changes, to prevent the malicious replay of old CRLs instead of new CRLs.

[0006] As an answer to a query, the directory supplies the most updated CRL (the complete CRL is sent to the merchant).

• The main advantage of the scheme is its simplicity.

• The main disadvantage of the scheme is its high directory-to-user communication costs (since CRLs may get very long). Another disadvantage is that a user may not hold a succinct proof for the validity of his certificate.

[0007] A reasonable validity expiration period should be chosen for certificates. If the expiration period is short, resources are wasted reissuing certificates. If the expiration period is long, the CRL may get long, causing high communication costs and difficulties in CRL management. Kaufman et al. [15, Section 7.7.3] suggested reissuing all certificates whenever the CRL grows beyond some limit. In their proposal, certificates are marked by a serial number instead of an expiration date. (Serial numbers are incremented for each issued certificate. Serial numbers are not reused even when all certificates are reissued.) The CRL contains a field indicating the first valid certificate. When all certificates are reissued, the CRL first valid certificate field is updated to contain the serial number of the first reissued certificate.


Certificate Revocation System 

[0008] Micali [18] suggested the Certificate Revocation System (CRS) in order to improve the CRL communication costs. The underlying idea is to sign a message for every certificate stating whether it was revoked or not, and to use an off-line/on-line signature scheme [11] to reduce the cost of periodically updating these signatures.

[0009] To create a certificate, the CA associates with each certificate two numbers (Y_365 and N_1) that are signed along with the 'traditional' certificate data. For each certificate, the CA chooses (pseudo) randomly two numbers N_0, Y_0 and computes (using a one-way function f) Y_365 = f^365(Y_0) and N_1 = f(N_0). (Actually, a stronger assumption on f is required, e.g. that f is one-way on its iterates, i.e. that given y = f^i(x) it is infeasible to find x' such that y = f(x'). This is automatically guaranteed if f is a one-way permutation.)

[0010] The directory is updated daily by the CA sending it a number C for each certificate as follows:

1. For a non-revoked certificate, the CA reveals one application of f, i.e. C = f^(365-i)(Y_0), where i is a daily incremented counter, i = 0 on the date of issue.
2. For a revoked certificate, C = N_0.

[0011] Thus the most updated value for C serves as a short proof (that certificate x was or was not revoked) that the directory may present in reply to a user query x.

• The advantage of CRS over CRL is in its query communication costs. Based on Federal PKI (Public Key Infrastructure) estimates, Micali [18] showed that although the daily update of the CRS is more expensive than a CRL update, the cost of CRS querying is much lower. He estimated the result as a 900-fold improvement in total communication costs over CRLs.

[0012] Another advantage of CRS is that each user may hold a succinct transferable proof of the validity of his certificate. Directory accesses are saved when users hold such proofs and present them along with their certificates.

• The main disadvantage of this system is the increase in the CA-to-directory communication (it is of the same magnitude as directory-to-users communication, whereas the existence of a directory is supposed to decrease the CA's communication). Moreover, since the CA's communication costs are proportional to the directory update rate, CA-to-directory communication costs limit the directory update rate.

[0013] The complexity of verifying that a certificate was not revoked is also proportional to the update rate. For example, for an update once an hour, a user may have to apply the function f 365 x 24 = 8760 times in order to verify that a certificate was not revoked, making it the dominant factor in verification.
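The CRS mechanism of [0009]-[0013], as an added worked example that is not part of the patent text. SHA-256 stands in for the one-way function f, the chain length is the text's 365 days and the seeds Y_0, N_0 are 32 random bytes; all three are assumptions of the example. The certificate carries Y_365 and N_1, the daily value C is f^(365-i)(Y_0) for a live certificate and N_0 for a revoked one, and the verifier applies f i times, which is the verification cost [0013] complains about. The check for the revocation value is done first so that N_0 is never mistaken for a chain value.

```python
import hashlib
import os

DAYS = 365  # chain length of the text: the certificate carries Y_365 = f^365(Y_0)


def f(x: bytes) -> bytes:
    """One-way function f; SHA-256 stands in for it (assumption of the example)."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, n: int) -> bytes:
    """f^n(x): apply f n times (f^0(x) = x)."""
    for _ in range(n):
        x = f(x)
    return x


def ca_issue():
    """CA side at issue time: pick Y_0 and N_0 at random, put Y_365 and N_1 into the
    signed certificate fields, and keep Y_0 and N_0 secret."""
    y0, n0 = os.urandom(32), os.urandom(32)
    cert_fields = {"Y365": iterate(y0, DAYS), "N1": f(n0)}
    secret = {"Y0": y0, "N0": n0}
    return cert_fields, secret


def ca_daily_update(secret, day: int, revoked: bool) -> bytes:
    """Value C the CA sends the directory on day i (i = 0 on the date of issue, [0010])."""
    if not 0 <= day <= DAYS:
        raise ValueError("day outside the certificate's lifetime")
    if revoked:
        return secret["N0"]
    return iterate(secret["Y0"], DAYS - day)


def verify(cert_fields, day: int, c: bytes) -> str:
    """User check of the directory's C for day i: 'revoked' if f(C) = N_1, 'valid' if
    f^i(C) = Y_365 (i applications of f, the cost noted in [0013]), otherwise 'invalid'."""
    if f(c) == cert_fields["N1"]:
        return "revoked"
    if iterate(c, day) == cert_fields["Y365"]:
        return "valid"
    return "invalid"
```

A value C published on day i proves validity on day i only: applying f to it yields the values of earlier days, but the value for a later day is a preimage of C and cannot be computed, so a stale C cannot be replayed as a later proof.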

Certificate Revocation Trees 

[0014] Kocher [16] suggested the use of Certificate Revocation Trees (CRT), referred to also as authentication trees, in order to enable the verifier of a certificate to get a short proof that the certificate was not revoked. A CRT is a hash tree with leaves corresponding to a set of statements about a certificate with serial number X issued by a CA, CA_X. The set of statements is produced from the set of revoked certificates of every CA. It provides the information whether a certificate X is revoked or not (or whether its status is unknown to the CRT issuer). There are two types of statements: statements specifying ranges of unknown CAs, and statements specifying a range of certificates of which only the lower certificate is revoked. For instance, if CA_1 revoked two certificates, X_1 < X_2, then one of the statements is:

if CA_X = CA_1 and X_1 <= X < X_2 then X is revoked iff X = X_1

[0015] To produce the CRT, the CRT issuer builds a binary hash tree [17] with leaves corresponding to the above statements.

[0016] A proof for a certificate status is a path in the hash tree, from the root to the appropriate leaf (statement), specifying for each node on the path the values of its children.

• The main advantages of CRT over CRL are that the entire CRL is not needed for verifying a specific certificate 
and that a user may hold a succinct proof of the validity of his certificate. 

• The main disadvantage of CRT is in the computational work needed to update the CRT. Any change in the set of 
revoked certificates may result in re-computation of the entire CRT. 
GLOSSARY

[0018] There follows a glossary of terms, some of which are conventional and others have been coined:
[0019] Certification Authority (CA) - A trusted party, already having a certified public key, responsible for establishing and vouching for the authenticity of public keys and/or other information such as credit card numbers.
[0020] A CA preferably, but not necessarily, does not provide on-line certificate information services to users. (Instead, it updates a directory on a periodic basis.) As will be shown below, in some embodiments directories are not used.
[0021] A CA issues certificates for users by a message containing the certificate serial number, relevant data and an expiration date. The certificate is sent to a directory and/or given to the user. The CA may revoke a certificate prior to its expiration date. Certificate is by no means bound to the latter definition and may encompass data pertaining to, e.g., one or more (such as a range of) public key(s), credit card number(s), and others, presented either in the clear or after having been subject to a function such as encoding or encryption. (The terms item and certificate are used in the specification interchangeably.)

[0022] Directory - One or more non-trusted parties that get updated certificate revocation information from the CA and serve as a certificate database accessible by the users.
[0023] User - A non-trusted party that receives its certificate from the CA and issues queries for certificate information.

User should be construed as encompassing, among others:

(i) a merchant who queries the validity of other users' certificates;

(ii) a user who gets proof of the validity of his/her certificate for using it vis-a-vis other users.

[0024] Search tree - A well known data structure that is associated with a search scheme which enables to construct a search path in the tree, from the root to a sought item (associated with a leaf). The search path exploits search values that reside in the tree nodes and possibly also in the links. A search tree is inherently designed to handle update transactions (i.e. delete and/or insert items to the tree). Typical, yet not exclusive, examples of search trees are: 2-3 trees, B-trees, B+-trees, tries, treaps and others.

[0025] Update Transactions - Insert new item to a tree; delete existing item in a tree. 

[0026] Authentication Tree - a rooted tree where each internal node authenticates the values of its children by means of a cryptographic hash function and the root is authenticated by means of a digital signature. A typical, yet not exclusive, example is illustrated in the Merkle patent.
[0027] Cryptographic hash function - includes:

(i) a collision intractable function h() such that it is computationally essentially infeasible to find y ≠ x satisfying h(x) = h(y). A typical, yet not exclusive, example is illustrated in the Merkle patent; or

(ii) a universal one way hash function h() such that there exists a family of functions h() such that for every x and random h() from the family, it is computationally essentially infeasible to find y ≠ x satisfying h(x) = h(y) (for a detailed discussion of (i) and (ii), see [6]).

SUMMARY OF THE INVENTION 

[0028] There is, accordingly, a need in the art for eliminating or substantially reducing the drawbacks associated with 
hitherto known techniques by providing a novel technique for authenticating items. 

[0029] The present invention incorporates the utilization of conventional authentication trees as well as conventional search trees such as 2-3 trees or B-trees. The utilization of search trees enables to authenticate an item (or items) whilst obviating the need to transmit a large amount of data to this end. The utilization of the authentication tree according to the prior art enables to transmit a series of revoked (or otherwise valid) items.

[0030] The major drawback of using an authentication tree, e.g. of the kind disclosed in the Merkle patent, arises when the latter is subject to modification transactions. The latter bring about a new arrangement of items in the leaves and, consequently (as will be exemplified below), necessitate the modification of the values of a multitude of nodes (hereinafter modified nodes) in the tree.
[0031] Not only is an extensive computation required in order to update the values of the modified nodes, but also, by utilizing an authentication tree, a high communication overhead is imposed when the multitude of values of said modified nodes are transmitted over the communication network, e.g. from the CA to the directory. Considering that such modifications occur quite frequently, the specified overhead renders the use of prior art authentication trees commercially
[0032] According to the invention, a conventional authentication tree is "superimposed" on a conventional search tree (bringing about an authenticated search tree), benefiting thus both from the inherent advantages of the authentication tree insofar as authenticating items is concerned and from the limited changes that are imposed on the tree nodes due to the search tree structure.

[0033] Accordingly, the present invention provides for a memory containing an authenticated search tree that serves 
for authenticating membership or non membership of items in a set; the authenticated search tree, comprising: 

a search tree having nodes and leaves and having associated therewith a search scheme; the nodes including dynamic search values and the leaves including items of said set; the nodes are associated, each, with a cryptographic hash function value that is produced by applying a cryptographic hash function to at least: (I) the cryptographic hash values of the children nodes and (II) the dynamic search value of said node;
at least the root node of said authenticated search tree is authenticated by a digital signature.

[0034] Still further the invention provides for a method for authenticating membership or non membership of items 
in a set; comprising: 

(i) providing an authenticated search tree of the kind specified; 

(ii) authenticating at least one item of said set by computing the authentication path as induced by said at least 
one item and the root. 

[0035] Still further the invention provides for a method for updating at least one item of a set in an authenticated 
search tree, comprising: 

(i) providing a search authenticated tree of the kind specified;

(ii) updating said search tree so as to obtain updated nodes; 

(iii) computing an authentication path as induced by said updated nodes; and 

(iv) authenticating at least said root modified node by a digital signature.

[0036] It should be noted that the specified order does not necessarily imply that in iterative procedure all the steps 
are performed in each iteration. Thus for example the steps (ii) and (iii) may be performed in each iteration and step 
(iv) may be applied once at the last iteration. This, likewise, applies to the other aspects of method and system as 
described herein.

[0037] The invention further provides a system for authenticating/updating, mutatis mutandis.
BRIEF DESCRIPTION OF THE DRAWINGS 
[0038] The invention will now be described, by way of example only, with reference to the accompanying drawings,
in which: 

Fig. 1 illustrates an authentication tree according to the prior art;
Figs. 2A-B illustrate a search authenticated tree according to one embodiment of the invention;

Fig. 3 illustrates a system configuration according to one embodiment of the invention;
Fig. 4 illustrates a system configuration according to another embodiment of the invention; and
Figs. 5A-B illustrate a manner in which a search authenticated tree is updated according to the embodiment of Fig. 4.

DESCRIPTION OF SPECIFIC EMBODIMENTS

[0039] Attention is first directed to Fig. 1 illustrating an authentication tree according to the prior art, e.g. as disclosed in the specified Merkle patent, the contents of which are incorporated herein by reference.

[0040] Consider, for example, that certificates Y_1 to Y_8 stand for a certificate list (CL) of valid credit cards. A user wants to use his credit card Y_5 in a commercial transaction, and the merchant turns to a directory that holds the authentication tree (i.e. an authentication tree in respect of valid credit cards Y_1 to Y_8) of the kind disclosed in Fig. 1. It is recalled that the directory is an un-trusted party and therefore the merchant wants to verify that Y_5 is indeed on the list.

[0041] The leaves of the tree are sorted according to credit card number, e.g. in ascending order. Thus, in order to authenticate Y_5, it is sufficient for the directory to transmit to the merchant the tree leaf and node values Y_5, H(6,6,Y), H(7,8,Y) and H(1,4,Y), where H(1,8,Y) was previously authenticated, e.g. using a digital signature. Of course, additional tree values may be transmitted, but as will be appreciated from the description below, transmitting additional tree values is absolutely redundant.

[0042] Thus, in order to authenticate Y_5, the merchant (knowing a priori H()) calculates the authentication path, namely H(5,5,Y) (on the basis of Y_5), and on the basis of H(5,5,Y) and the received H(6,6,Y), H(5,6,Y). The latter, along with the received H(7,8,Y), gives rise to H(5,8,Y). The latter, along with the received H(1,4,Y), gives rise to H(1,8,Y), which is subject to a PKI technique (e.g. applying the public key of the CA to the signature on the previously authenticated H(1,8,Y) value), and in the case of a match it is assured that the item Y_5 belongs to the list.

[0043] The advantage of the authentication tree is, of course, that only a few tree node values were transmitted to the merchant. The procedure described above for authenticating items in respect of a prior art authentication tree applies also to the search authenticated tree of the invention.

[0044] The major drawback of the authentication tree of Fig. 1 arises when the latter is subject to modify transactions, e.g. when a new credit card is added to the list at the CA. Suppose that a new item Y_4' such that Y_4 < Y_4' < Y_5 is added. The resulting authentication tree (not shown) will necessitate an extensive update of most of the nodes in the tree and undue transmission overhead of the updated information, which is obviously undesired, particularly when bearing in mind that the rate of updating the CA with new items is as a rule quite high.

[0045] The advantages and disadvantages equally apply when considering a certificate revocation list (CRL) which holds the invalidated or revoked items (e.g. invalid credit cards).

[0046] Consider now an exemplary search authenticated tree according to one embodiment of the invention, utilizing e.g. a 2-3 search tree with a CRL (e.g. a list of revoked credit cards) held at the leaves, see Figs. 2A-B.

[0047] In this connection it should be noted that the invention is, by no means, bound to the actual realization of the search tree, and any known technique that is utilized to this end is applicable, all as required and appropriate depending upon the particular application. Thus, by way of non-limiting example, any manner of holding the items in the leaves is applicable, e.g. as records, linked list, tree, or blocks (in the case of a long item), etc. This statement likewise applies to the other parts of the tree.

[0048] By this particular embodiment, a 2-3 tree is maintained with leaves corresponding to the revoked certificates' serial numbers (c1-c7) in increasing order. (In a 2-3 tree every interior node has two or three children and all the paths from the root to the leaves have the same length. Testing membership and modifying, i.e. inserting or deleting, a single element are done in logarithmic time, where the modification affects only the nodes on the search path. For a detailed presentation of 2-3 trees see [1, pp. 169-180].) The property of 2-3 trees is that tree modifications involve only changes to nodes on a search path, i.e. every change is local and the number of affected paths is small.
[0049] The tree may be created either by inserting the serial numbers of the revoked certificates one by one into an initially empty 2-3 tree, or by sorting the list of serial numbers and building a degree 2 tree with leaves corresponding to the serial numbers in the sorted list (because the communication complexity is minimal when the tree is of degree 2).
[0050] Every tree node is assigned a value according to the following procedure: 

• Each leaf stores a revoked certificate serial number as its value. 

• The value of an internal node is computed by applying the cryptographic hash function H() to the values of its children and to at least the dynamic search values of the internal node (which encompass also the links whenever applicable). Whilst it is not obligatory, the cryptographic one way hash function H() may also be applied to information, other than the dynamic search values, that is associated with the node, e.g. information relevant for balancing the tree etc.

[0051] Unlike the collision intractable function, applying a universal one way hash function to the internal nodes in the manner specified necessitates the utilization of a unique function for each node. For the latter case, it is required to authenticate, in addition to the above referred to values of the children and the dynamic search values of the internal node, also the unique value of the function that is associated with the internal node.

[0052] There follows now a description that pertains to modifying the search authenticated tree according to one 
embodiment of the invention. 

[0053] Thus, in order to delete an item, a conventional 2-3 delete item step is executed, namely:

1. Delete each expired certificate serial number from the 2-3 tree, updating the values of the nodes on the deletion path.

[0054] Likewise, in order to insert an item, a conventional 2-3 insert item step is executed, namely:

2. Insert each newly revoked certificate serial number into the tree, updating the values of the nodes on the insertion path.

[0055] During a tree update, some new nodes may be created or some nodes may be deleted due to the balancing of the tree. These nodes occur only on the search path for an inserted/deleted node (hereinafter: modified node).
[0056] The certification authority authenticates the tree by authenticating the root, and to this end only the search path that is induced by the modified nodes has to be computed.

[0057] For a simpler implementation of the search authenticated tree, other trees, e.g. random treaps [2], may be used instead of 2-3 trees. Treaps are binary trees whose nodes are associated with (key, priority) pairs. The tree is a binary search tree with respect to node keys (i.e. for every node the keys in its left (resp. right) subtree are smaller (resp. greater) than its key) and a heap with respect to node priorities (i.e. for every node its priority is higher than its descendants' priorities). Every finite set of (key, priority) pairs has a unique representation as a treap. In random treaps priorities are drawn at random from a large enough ordered set (thus, they are assumed to be distinct).
[0058] Seidel and Aragon [2] present simple algorithms for membership queries, insert and delete operations with expected time complexity logarithmic in the size of the set S stored in the treap. Random treaps may be easily converted into authenticated search data structures similarly to 2-3 trees. The communication costs of these schemes are similar, since the expected depth of a random treap is similar to that of its 2-3 tree counterpart.

• The advantage of random treaps is that their implementation is much simpler than the implementation of 2-3 trees.

• A drawback of using random treaps is that their performance is not guaranteed in the worst case, e.g. some users may (with low probability) get long authentication paths.

• Another drawback is that a stronger assumption is needed with respect to the directory. The analysis of random treaps is based on the fact that the adversary does not know the exact representation of a treap. A dishonest directory with the ability to change the status of certificates may increase the computational work and communication costs of the system.
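The local-update property of [0053]-[0058] and the CA-to-directory update exchange of [0059]-[0062], as an added example that is not part of the patent text. It uses a random treap, the simpler alternative the text proposes, so every node carries an item (its key) rather than the leaves only. SHA-256 stands in for H(), a missing child contributes 32 zero bytes, the node value covers the children values, the key (the node's dynamic search value) and the priority (balancing information, which [0050] permits), priorities come from a seeded random generator so the run is reproducible, and the revoked serial numbers are constructed; all of these are assumptions of the example. The CA inserts one newly revoked serial, the modification parameters it sends the directory are the (key, priority) pair, and the directory replays them on its own copy and compares the resulting root value with the CA's. `demo()` also reports that the nodes whose values changed are exactly the nodes on the new key's search path plus the new node itself.

```python
import hashlib
import random

EMPTY = b"\x00" * 32  # value used for a missing child (assumption of this example)


def H(*parts: bytes) -> bytes:
    """SHA-256 stands in for the cryptographic hash function H() of the text."""
    return hashlib.sha256(b"".join(parts)).digest()


class Node:
    __slots__ = ("key", "prio", "left", "right", "hash")

    def __init__(self, key: int, prio: int):
        self.key, self.prio, self.left, self.right, self.hash = key, prio, None, None, None


def rehash(n: Node, touched: set) -> Node:
    """Node value = H(children values, key, priority); records the key as modified."""
    left = n.left.hash if n.left else EMPTY
    right = n.right.hash if n.right else EMPTY
    n.hash = H(b"node", left, right, n.key.to_bytes(8, "big"), n.prio.to_bytes(8, "big"))
    touched.add(n.key)
    return n


def rotate_right(n: Node, touched: set) -> Node:
    p = n.left
    n.left = p.right
    rehash(n, touched)  # n's children changed, so its value must be recomputed first
    p.right = n
    return rehash(p, touched)


def rotate_left(n: Node, touched: set) -> Node:
    p = n.right
    n.right = p.left
    rehash(n, touched)
    p.left = n
    return rehash(p, touched)


def insert(n, key: int, prio: int, touched: set):
    """Treap insert [2]: BST insert by key, then rotate the new node up while its priority
    exceeds its parent's. Only nodes on the search path of `key` are ever rehashed."""
    if n is None:
        return rehash(Node(key, prio), touched)
    if key < n.key:
        n.left = insert(n.left, key, prio, touched)
        if n.left.prio > n.prio:
            return rotate_right(n, touched)
    elif key > n.key:
        n.right = insert(n.right, key, prio, touched)
        if n.right.prio > n.prio:
            return rotate_left(n, touched)
    else:
        return n  # already present: no node value changes
    return rehash(n, touched)


def build(pairs):
    root = None
    for key, prio in pairs:
        root = insert(root, key, prio, set())
    return root


def search_path_length(root, key: int) -> int:
    """Number of nodes visited when searching for `key` (taken before it is inserted)."""
    n, length = root, 0
    while n is not None and n.key != key:
        length += 1
        n = n.left if key < n.key else n.right
    return length


def ca_update(root, key: int, rng: random.Random):
    """CA side: insert a newly revoked serial under a fresh random priority. Returns the new
    root, the modification parameters for the directory, and the keys whose value changed."""
    prio = rng.getrandbits(64)
    touched = set()
    return insert(root, key, prio, touched), (key, prio), touched


def directory_apply(root, params):
    """Directory side: replay the modification parameters on its own copy of the tree; the
    caller then compares the resulting root value with the root the CA signed ([0062])."""
    key, prio = params
    return insert(root, key, prio, set())


def demo(n: int = 255, seed: int = 7) -> dict:
    rng = random.Random(seed)  # seeded only to make the run reproducible (assumption)
    keys = rng.sample(range(1, 10**6), n)  # constructed revoked serial numbers
    pairs = [(k, rng.getrandbits(64)) for k in keys]
    ca_root, dir_root = build(pairs), build(pairs)  # directory holds the same tree
    keyset, new_key = set(keys), 500_000
    while new_key in keyset:
        new_key += 1
    old_root_value = ca_root.hash
    path_len = search_path_length(ca_root, new_key)
    ca_root, params, touched = ca_update(ca_root, new_key, rng)
    dir_root = directory_apply(dir_root, params)
    return {"roots_match": ca_root.hash == dir_root.hash,
            "root_changed": ca_root.hash != old_root_value,
            "modified_nodes": len(touched),
            "search_path_nodes": path_len,
            "tree_size": n + 1}
```

Sending only the (key, priority) pair is the cheapest form of the "modification parameters" of [0061]; the list of induced nodes would work equally well, at the cost of transmitting the recomputed values that the directory can derive itself.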

[0059] The operation of a system of the invention will be exemplified in one non-limiting sequence of operation which 
refers to an embodiment of the invention as depicted in Fig. 3. 

Generally speaking there is provided a method in a CA, directory, user scheme, including the steps of: 
(a) the user providing to a directory a list of at least one item for authenticating membership or non membership;
(b) the directory transmitting the authentication path as induced by said at least one item; the directory further transmitting said authenticated root; and
(c) the user verifying said items.

Still further there is provided a method in a CA, directory, user scheme comprising the steps of:
the CA executing:

(i) updating said search tree so as to obtain updated nodes;

(ii) computing an authentication path as induced by said updated nodes;

(iii) authenticating at least said root modified node by a digital signature; and

(iv) transmitting modification parameters to said directory;

the directory executing:

(i) applying said modification parameters, so as to obtain an authenticated directory root value;
(ii) verifying that the authenticated CA root value matches the authenticated directory root value.

[0060] A specific description of the general aspect above follows:

CA Operations 

[0061] 

• Creating certificates: The CA produces a certificate by authenticating a message containing certificate data (e.g. user name and public key), certificate serial number and expiration date.

• Initialization: The CA creates the 2-3 tree, as above, for the set of initially revoked certificates. It computes and stores the values of all the tree nodes and sends to the directory the (sorted) list of revoked certificate serial numbers along with a signed message containing the tree root value, the tree height and a time stamp.

• Updating: The CA updates the tree by inserting/deleting certificates from it. After each modification, the induced nodes are updated and the authenticated path is calculated accordingly. To update the directory, the CA sends modification parameters. The latter may be, for example, the list of induced nodes, the list of the transactions, etc. In fact, modification parameters encompass any kind of information that enables the directory to update the tree at the directory. Authenticating the root encompasses of course the new root value but may likewise include other authenticated information, e.g. tree height and time stamp.

Directory operations: 

[0062] 

• Initialization: Upon receiving the initial revoked certificates list, the directory computes by itself the whole 2-3 tree, checks the root value, tree height and time stamp, and verifies the CA's signature on these values.

• Response to CA's update: The directory updates the tree according to the modification parameters received from the CA. This results in a recomputed path and an authenticated directory root. Having done so, it checks that the so obtained directory root and the authenticated root received from the CA match, in which case the procedure terminates successfully. By this particular embodiment the root value, tree height and time stamp all have to match (the time, of course, within a reasonable interval).

• Response to user's queries: To answer a user query, the directory supplies the user with the authenticated root value, tree height and time stamp.

1. If the queried certificate is revoked, for each node in the path from the root to the leaf corresponding to the queried certificate the directory supplies the user its value and its children values.

2. If the queried certificate is not revoked (not in the list), the directory supplies the user the two paths to the neighbouring leaves l_1, l_2 such that the value of l_1 (resp. l_2) is smaller (resp. larger) than the queried serial number.
[0063] Note that to reduce the communication costs, the directory need not send the node values on the path from the root to the leaf, as these are not required for the user to compute the entire search path. The latter was exemplified in the description above with reference to Fig. 1, and applies likewise to the search authenticated tree.

User Operations: 

[0064] The user first verifies the CA's signature on the certificate and checks the certificate expiration date. Then, to query for the validity of a certificate, the user sends the directory the certificate serial number. Upon receiving the directory's answer to a query, the user verifies the CA's signature on the root value, tree height and time stamp.

1. If the directory claims the queried certificate is revoked, the user checks the leaf to root path supplied by the directory by applying the hash function H().

2. If the directory claims the queried certificate is not revoked, the user checks the two paths supplied by the directory and checks that they lead to two adjacent leaves in the 2-3 tree, with values l_1, l_2. The user checks that l_1 < x < l_2, where x is the queried serial number.

[0065] Thus, in the search tree, for authenticating x (i.e. claiming that x does not belong to the revocation list), the search paths that authenticate the adjacent members x_1 and x_2 are transmitted, where x_1 < x < x_2.
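The directory answer of [0062] and the user checks of [0064]-[0065], as an added example that is not part of the patent text. The tree is the degree-2 tree over the sorted revoked serials of [0049], with each node value computed as in [0050] over the children values and the node's search value (here the largest key of its left subtree). SHA-256 stands in for H(), leaf and node values are tagged differently, two sentinel serials 0 and 2^64-1 are added so that every queried serial has a smaller and a larger neighbour, and the serial numbers are constructed; these are assumptions of the example. The CA's signature on the root is out of scope, so the verifier takes the trusted root value as input. The adjacency test is what lets the direction bits of the two paths do the work the text assigns to "two adjacent leaves": the tests show a dishonest directory failing to pass a revoked serial off as valid using two non-adjacent neighbours, and failing to forge membership with another leaf's path.

```python
import bisect
import hashlib

# Sentinel leaves (an assumption of this example) so that every queried serial has a
# smaller and a larger neighbour; serial numbers are taken to be 64-bit unsigned.
MIN_SENTINEL, MAX_SENTINEL = 0, 2**64 - 1


def H(*parts: bytes) -> bytes:
    """SHA-256 stands in for the cryptographic hash function H() of the text."""
    return hashlib.sha256(b"".join(parts)).digest()


def leaf_hash(serial: int) -> bytes:
    return H(b"leaf", serial.to_bytes(8, "big"))


def node_hash(left: bytes, right: bytes, search_value: int) -> bytes:
    # The node value binds both children AND the node's dynamic search value ([0050]).
    return H(b"node", left, right, search_value.to_bytes(8, "big"))


class AuthenticatedSearchTree:
    """Degree-2 search tree over the sorted revoked serial numbers ([0049])."""

    def __init__(self, revoked_serials):
        self.leaves = sorted(set(revoked_serials) | {MIN_SENTINEL, MAX_SENTINEL})
        self.root = self._build(0, len(self.leaves))

    def _build(self, lo, hi):
        if hi - lo == 1:
            return {"key": self.leaves[lo], "hash": leaf_hash(self.leaves[lo])}
        mid = (lo + hi) // 2
        left, right = self._build(lo, mid), self._build(mid, hi)
        sv = self.leaves[mid - 1]  # search value: largest key in the left subtree
        return {"sv": sv, "left": left, "right": right,
                "hash": node_hash(left["hash"], right["hash"], sv)}

    def root_hash(self) -> bytes:
        return self.root["hash"]  # the value the CA signs (with tree height and time stamp)

    def search_path(self, serial):
        """Leaf key plus the root-to-leaf path as (direction, sibling value, search value)."""
        node, path = self.root, []
        while "left" in node:
            if serial <= node["sv"]:
                path.append(("L", node["right"]["hash"], node["sv"]))
                node = node["left"]
            else:
                path.append(("R", node["left"]["hash"], node["sv"]))
                node = node["right"]
        return node["key"], path

    def answer_query(self, serial):
        """Directory reply ([0062]): ('revoked', [proof]) or ('valid', [proof l1, proof l2])."""
        if not MIN_SENTINEL < serial < MAX_SENTINEL:
            raise ValueError("serial out of range")
        i = bisect.bisect_left(self.leaves, serial)
        if self.leaves[i] == serial:
            return "revoked", [self.search_path(serial)]
        return "valid", [self.search_path(self.leaves[i - 1]), self.search_path(self.leaves[i])]


def verify_path(root_hash: bytes, leaf_key: int, path) -> bool:
    """Recompute the root from the leaf upward, checking at every node that the leaf key lies
    on the side of the search value that the direction claims (no misplaced leaves)."""
    h = leaf_hash(leaf_key)
    for direction, sibling, sv in reversed(path):
        if direction == "L" and leaf_key <= sv:
            h = node_hash(h, sibling, sv)
        elif direction == "R" and leaf_key > sv:
            h = node_hash(sibling, h, sv)
        else:
            return False
    return h == root_hash


def adjacent(path_lo, path_hi) -> bool:
    """Leaves are consecutive in sorted order iff the paths share a prefix, then split L/R,
    then the lower path goes right all the way down and the upper path goes left all the way."""
    d_lo = [d for d, _, _ in path_lo]
    d_hi = [d for d, _, _ in path_hi]
    k = 0
    while k < min(len(d_lo), len(d_hi)) and d_lo[k] == d_hi[k]:
        k += 1
    if k == len(d_lo) or k == len(d_hi):
        return False
    return (d_lo[k] == "L" and d_hi[k] == "R"
            and all(d == "R" for d in d_lo[k + 1:])
            and all(d == "L" for d in d_hi[k + 1:]))


def user_verify(root_hash: bytes, serial: int, status: str, proofs) -> bool:
    """User side ([0064]): one path for 'revoked'; two paths to adjacent leaves l1 < x < l2 for 'valid'."""
    if status == "revoked" and len(proofs) == 1:
        key, path = proofs[0]
        return key == serial and verify_path(root_hash, key, path)
    if status == "valid" and len(proofs) == 2:
        (k1, p1), (k2, p2) = proofs
        return (k1 < serial < k2 and verify_path(root_hash, k1, p1)
                and verify_path(root_hash, k2, p2) and adjacent(p1, p2))
    return False
```

The search-value check inside `verify_path` is the part a plain Merkle proof lacks: without it a directory could present a genuine leaf under a path whose separators contradict the leaf's key, and the adjacency argument that underpins the non-membership answer would no longer hold.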

[0066] As shown above, the communication costs of verifying that a certificate was not revoked may be twice the communication costs of verifying that a certificate is in the list. To overcome this, the tree may be built such that leaves correspond to two consecutive serial numbers, thus having to send only one path in either case. Since the number of bits needed for holding the value of a tree node, i.e. the hash function parameter (l_hash in the notation below), is more than twice the bits needed for holding a certificate serial number, this does not influence the communication costs significantly. In this connection it is recalled that certificate or item embraces, amongst others, a range of values.
[0067] Attention is drawn to Fig. 4 illustrating a system configuration according to another embodiment of the invention. Thus, some protocols avoid the need for a revocation system by using short-term certificates (e.g. micropayment schemes, in which a certificate owner can cause only limited damage). These certificates are issued daily and expire at the end of the day of issue. Actually, even shorter periods are desired, and the main limit is due to the increase in certification authority computation (certificates for all users have to be computed daily) and communication (certificates should be sent to their owners) that short-term certificates cause.
[0068] An on-line/off-line digital signature scheme (like CRS) will reduce the computation the CA has to perform, but it does not reduce significantly the communication costs, since the CA has to send different messages to different users, making the CA a communication bottleneck. This calls for a solution where the CA performs a simple computation (say, concerning only new users and users whose certificates are not renewed) and sends a common update message to all users. Given the update message, exactly all users with non-revoked certificates should be able to prove the validity of their certificates. To meet the latter embodiment, a simple modification to the certificate revocation scheme is proposed to yield an efficient certificate update scheme in which the CA sends the same update message to all users. In this scheme there is no need for the existence of a directory (see Fig. 4) with information about all certificates, but possibly of local directories that may hold the latest messages that are sent by the CA.

As before, the scheme is based on a tree of revoked certificates (or, otherwise, valid certificates) created by
the method presented above. Since there is no need to extract certificates from a directory, every user
holds a copy of its own path that may be updated using the CA's messages. Specifically, the CA augments every issued
certificate with a path proving its validity; this is the only part of the certificate that is updated periodically.
To update all certificates simultaneously, the CA updates its copy of the tree, and publishes the tree paths
that were changed since the previous update (constituting one, non-limiting form of induced sub-tree) (see Fig. 5A).
A user holding a non-revoked certificate intersects its self path with the induced tree, preferably by locating the
most discrepancy node and proceeding up to the root. All users holding a revoked certificate cannot update their path, unless they crack the one way
hash function. As shown in Fig. 5B the user brings into coincidence the self path with the induced
sub-tree and locates the most discrepancy node (designated by dot 100 in Fig. 5A). What remains to be done
is to compute the hash path from the so detected node to the root and to authenticate the root and verify it vis-a-vis the
value of the root as transmitted from the CA. The latter procedure is obviously very cost effective in terms of the
computation overhead that is posed on each user.

[0070] Since the CA communication is reduced, one may use this update scheme for, say, updating certificates once
every hour. This may cause some users to lag in updating their certificates, and the local directories should save several
previous messages (e.g. using conventional proxy servers), and some aggregate updates (combining update
messages of a day) enabling users that lag several days to update their certificates.

[0071] The latter specific description is defined more generally as follows, a method according to Claim 6, in a CA
user scheme comprising:
the CA executing:

(i) updating said search tree so as to obtain updated nodes;

(ii) computing an authentication path as induced by said updated nodes; and

(iii) authenticating at least said root modified node by a digital signature;

(iv) transmitting induced sub-tree to said user;

the user executing:

(i) intersecting said induced sub-tree with user self path and obtaining user authenticated root value;

(ii) verifying that the authenticated CA root value matched the authenticated user value.
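The CA-side update and the user-side intersection just listed, as an added example (not the patent's own code, and not the 2-3 tree of its figures): a complete binary authenticated search tree stands in for the 2-3 tree, a keyed hash stands in for the CA's digital signature on the root, and the serial numbers and CA key are constructed sample values.

```python
import hashlib

LEAF = b"leaf"
def H(*parts):                       # node hash over the children hashes and the search value
    return hashlib.sha256(b"|".join(parts)).digest()

def combine(left, right):            # internal node = (hash, search value, max key in subtree)
    (lh, _, lmax), (rh, _, rmax) = left, right
    mx = max((k for k in (lmax, rmax) if k is not None), default=None)
    return (H(lh, rh, str(lmax).encode()), lmax, mx)   # search value = max key of left subtree

def path_to_root(i):                 # heap-layout node indices from i up to the root (index 1)
    return [i >> s for s in range(i.bit_length())]

class AuthTree:
    """Complete binary authenticated search tree over valid serial numbers (None = empty slot),
    a simplified stand-in for the 2-3 tree of the text; the leaves sit at indices n..2n-1."""
    def __init__(self, serials, height=3):
        self.n = 1 << height
        keys = sorted(serials) + [None] * (self.n - len(serials))
        self.node = {self.n + i: (H(LEAF, str(k).encode()), k, k) for i, k in enumerate(keys)}
        for i in range(self.n - 1, 0, -1):
            self.node[i] = combine(self.node[2 * i], self.node[2 * i + 1])
    def self_path(self, serial):     # what a user stores: leaf index, path nodes and siblings
        leaf = next(i for i in range(self.n, 2 * self.n) if self.node[i][1] == serial)
        return leaf, {j: self.node[j] for i in path_to_root(leaf) for j in (i, i ^ 1) if j in self.node}
    def revoke(self, serial):        # CA update: clear the leaf and recompute its ancestors
        leaf, _ = self.self_path(serial)
        self.node[leaf] = (H(LEAF, b"None"), None, None)
        for i in path_to_root(leaf)[1:]:
            self.node[i] = combine(self.node[2 * i], self.node[2 * i + 1])
        return {i: self.node[i] for i in path_to_root(leaf)}   # the induced sub-tree
    def signed_root(self, ca_key):   # placeholder for the CA's digital signature on the root
        return self.node[1][0], H(b"sig", ca_key, self.node[1][0])

def user_update(leaf, known, induced, signed_root, ca_key):
    """Intersect the self path with the induced sub-tree, recompute from the most discrepancy
    node up to the root and compare with the signed root; returns the refreshed path or None."""
    root, sig = signed_root
    if H(b"sig", ca_key, root) != sig:
        return None                                   # root authentication failed
    path, fresh = path_to_root(leaf), dict(known)
    fresh.update({i ^ 1: induced[i ^ 1] for i in path if i ^ 1 in induced})  # new sibling hashes
    disc = next((i for i in path if i in induced and induced[i][0] != known[i][0]), None)
    if disc is None:                                  # nothing on our path changed
        return fresh if fresh[1][0] == root else None
    start = disc if disc != leaf else disc // 2       # a revoked leaf cannot be recomputed
    for i in path_to_root(start):
        fresh[i] = combine(fresh[2 * i], fresh[2 * i + 1])
    return fresh if fresh[1][0] == root else None
```

A user whose own leaf was cleared by the update can only recompute the old root from its stored path, so the comparison with the signed root fails, which is the property the text relies on.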
[0072] Those versed in the art will readily appreciate that the realization of the embodiments of Figs. 3 and 4 are not

Evaluation

[0073] In the following, the communication costs of CRL, CRS and the scheme
of the invention are compared. Based on this analysis, it is shown that the proposed system is more robust to
changes in parameters, and allows higher update rates than the other.

[0074] Other advantages of the proposed scheme are:

• [...]

• Another consequence of [...] bottlenecks in the communication network.

Communication Costs

[0075] The parameters we consider are:

• n - Estimated total number of certificates (n = 3,000,000).

• k - Estimated average number of certificates handled by a CA (k = 30,000).

• p - Estimated fraction of certificates that will be revoked prior to their expiration (p = 0.1). It is assumed that
certificates are issued for one year, thus, the number of certificates revoked daily is n·p/365.

• q - Estimated number of certificate status queries issued per day (q = 3,000,000).

• T - Number of updates per day (T = 1).

• l_sn - Number of bits needed to hold a certificate serial number (l_sn = 20).

• l_stat - Number of bits needed to hold the certificate revocation status numbers Y_365 and N_0 (l_stat = 100).

• l_sig - Length of signature (l_sig = 1,000).

• l_hash - Security parameter for the hash function (l_hash = 128).

[0076] Values for n, k, p, q, T, l_sn, l_stat are taken from Micali [18]; l_sig and l_hash are specific to our scheme.



[0077]

• The CRL daily update cost is T·n·p·l_sn since each CA sends the whole CRL to the directory in each update. An
alternative update procedure where the CA sends to the directory only a difference list (which serial numbers to
add/remove from the previous CRL) costs n·p·l_sn/365.

• The CRL daily query cost is q·p·k·l_sn since for every query the directory sends the whole CRL to the querying user.

CRS Cost

[0078]

• The CRS daily update cost is T·n·(l_sn + l_stat) since for every certificate the CA sends l_stat bits of certificate revocation
status.

• The CRS daily query cost is l_stat·q.

The proposed scheme

[0079] To update the directory, the CA sends the difference lists of total daily length of n·p·l_sn/365 + T·l_sig.

To answer a query, the directory sends up to 2·log₂(p·k) numbers, each l_hash bits long, totaling 2·q·l_hash·log₂(p·k)
bits.

[0080] The following table shows the estimated daily communications costs (in bits) according to the three schemes.

                                   CRL Costs     CRS Costs     Proposed Scheme
Daily update (CA-directory)        6·10^6        3.6·10^8      1.7·10^4
Daily queries (Directory-users)    1.8·10^11     3·10^8        7·10^9



[0081] As shown in the table, the proposed scheme costs are lower than CRL costs both in CA-to-directory and in
directory-to-users communication. The CA-to-directory costs are much lower than the corresponding CRS costs but
the directory-to-user (and thus the overall) communication costs are increased. Note that in practice, due to commu-
nication overheads, the difference between CRS and the proposed method in directory-to-users communication may
be insignificant.
[0082] The proposed scheme is more robust to changes in parameters than CRL and CRS. Since these are bound
to change in time or due to the specific needs of different implementations, it is important to have a system that is
robust to such changes.
[0083] Changes will occur mainly in the total number of certificates (n) and the update rate (T). In the proposed
method, changes in n are moderated by a factor of p. Changes in T are moderated by the fact that the update com-
munication costs are not proportional to n·T but to T. Figure 8 shows how the CA-to-directory update communication
costs of the three methods depend on the update rate (all other parameters are held constant). The update commu-
nication costs limit CRS to about one update a day (another factor that limits the update rate is the amount of compu-
tation needed by a user in order to verify that a certificate was not revoked). The proposed scheme is much more
robust, even allowing once per hour updates.

[0084] The present invention has been described with a certain degree of particularity, but it should be understood 
that various modifications and alterations may be made without departing from the scope or spirit of the invention as
defined by the following claims: 



1. A memory containing an authenticated search tree that serves for authenticating membership or non membership
of items in a set; the authenticated search tree, comprising:

a search tree having nodes and leaves and having associated therewith a search scheme; the nodes including
dynamic search values and the leaves including items of said set; the nodes being associated, each, with a
cryptographic hash function value that is produced by applying a cryptographic hash function to at least: (I)
the cryptographic hash values of the children nodes and (II) the dynamic search value of said node;
at least the root node of said authenticated search tree is authenticated by a digital signature.

2. An authenticated search tree according to claim 1 wherein said cryptographic hash function being of the universal
function that is unique to each internal node.

3. A search authenticated tree of Claim 1, wherein said search tree being a B-tree.

4. A search authenticated tree of Claim 1, wherein said search tree being a 2-3 tree.

5. A method for authenticating membership or non membership of items in a set; comprising:

one item and the root.

6. A method for updating at least one item of a set in an authenticated search tree, comprising:

(i) providing a search authenticated tree as defined in Claim 1;

(ii) updating said search tree so as to obtain updated nodes;

(iii) computing an authentication path as induced by said updated nodes; and

(iv) authenticating at least said root modified node by a digital signature.

7. A method according to Claim 5, in a CA, directory, user scheme, wherein said step (ii), includes:

(a) the user providing to a directory a list of at least one item for authenticating membership or non membership;
(b) the directory transmitting to a user the authentication path(s) as induced by said at least
one item; the directory further transmitting said authenticated root; and
(c) the user verifying said items.

8. A method according to Claim 6, in a CA directory user scheme comprising the steps of:

the CA executing:

(i) updating said search tree so as to obtain updated nodes;
(ii) computing an authentication path as induced by said updated nodes; and

(iii) authenticating at least said root modified node by a digital signature;

(iv) transmitting modified parameters to said directory;

the directory executing:
(i) applying said modification parameters, so as to obtain authenticated directory root value;
(ii) verifying that the authenticated CA root value matched the authenticated directory value.

9. A method according to Claim 6, in a CA user scheme comprising:
the CA executing:

(i) updating said search tree so as to obtain updated nodes;
(ii) computing an authentication path as induced by said updated nodes; and
(iii) authenticating at least said root modified node by a digital signature;

(iv) transmitting induced sub-tree to said user;

the user executing:

(i) intersecting said induced sub-tree with user self path and obtaining user authenticated root value;

(ii) verifying that the authenticated CA root value matched the authenticated user value.



(19) Europäisches Patentamt / European Patent Office / Office européen des brevets

(11) EP 0 932 109 A3

EUROPEAN PATENT APPLICATION

(88) Date of publication A3: 18.06.2003 Bulletin 2003/25

(43) Date of publication A2: 28.07.1999 Bulletin 1999/30

(21) Application number: 99400130.3

(22) Date of filing: 21.01.1999

(51) Int Cl.: G06F 17/30, H04L 9/32

(84) Designated Contracting States:
AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

Designated Extension States:
AL LT LV MK RO SI

(30) Priority: 22.01.1998 US 10571

(71) Applicant: YEDA RESEARCH & DEVELOPMENT COMPANY, LTD.
76100 Rehovot (IL)



(72) Inventors:

• Naor, Moni
Tel Aviv 69122 (IL)

• Nissim, Yaacov
Ramat-Gan 52525 (IL)

(74) Representative: Moutard, Pascal Jean et al
Cabinet Beau de Lomenie
158, rue de l'Université
75340 Paris Cedex 07 (FR)



EUROPEAN SEARCH REPORT

Application number: EP 99 40 0130

DOCUMENTS CONSIDERED TO BE RELEVANT
(Category; citation of document with indication, where appropriate, of relevant passages)

D,A: US 4 309 569 A (MERKLE RALPH C), 5 January 1982 (1982-01-05); * the whole document *

AHO ET AL.: "DATA STRUCTURES AND ALGORITHMS", ADDISON-WESLEY, READING (US), XP002238504; * page 169 - page 174 *

US 5 826 254 A (KAHN CLIFFORD EARL), 20 October 1998 (1998-10-20); * column 3, line 59 - column 4, line 13 *

NAOR M ET AL: "Certificate revocation and certificate update", PROCEEDINGS OF THE SEVENTH USENIX SECURITY
SYMPOSIUM, SAN ANTONIO, TX, USA, 26-29 JAN. 1998, pages 217-228, XP002238503, 1998, Berkeley, CA, USA,
USENIX Assoc, USA, ISBN: 1-880446-92-8; * the whole document *

WO 97 43842 A (INTEGRIS SECURITY INC), 20 November 1997 (1997-11-20); * abstract *; * page 16, line 9 - page 17,
line 7; page 25, line 18 - page 26, line 5 *

Classification of the application: G06F17/30, H04L9/32

The present search report has been drawn up for all claims.

Technical fields searched (Int.Cl.6): H04L, G06F

Place of search: THE HAGUE. Date of completion of the search: 16 April 2003. Examiner: Holper, G




ANNEX TO THE EUROPEAN SEARCH REPORT
ON EUROPEAN PATENT APPLICATION NO. EP 99 40 0130

This annex lists the patent family members relating to the patent documents cited in the above-mentioned European search report.
The members are as contained in the European Patent Office EDP file on 16-04-2003.
The European Patent Office is in no way liable for these particulars which are merely given for the purpose of information.

Patent document cited in search report   Publication date   Patent family member(s)   Publication date
US 4309569 A                             05-01-1982         NONE
US 5826254 A                             20-10-1998         NONE
WO 9743842 A                             20-11-1997         US 5903651 A              11-05-1999
                                                            AU 3124997 A              05-12-1997
                                                            GB 2330504 A              21-04-1999
                                                            WO 9743842 A1             20-11-1997
                                                            US 6532540 B1             11-03-2003
                                                            US 2002188843 A1          12-12-2002
                                                            US 6442689 B1             27-08-2002

For more details about this annex: see Official Journal of the European Patent Office, No. 12/82



